I have the following data in Splunk in two different sourcetypes:
index="xyz" sourcetype="assets"
name
--------
SERVER01
SERVER02
SERVER03
index="xyz" sourcetype="computers"
name
--------
SERVER02
SERVER03
SERVER05
I am trying to fetch the data which is not matching in both sourcetypes:
name
--------
SERVER01
SERVER05
I tried doing the data selection using an outer join as mentioned below, but it seems it's not working:
index="xyz" sourcetype="assets"
| table name
| join type=outer name
[| search index="xyz" sourcetype="computers"
| table name]
| table name
Please suggest.
The stats command can do that. Collect the servers from each sourcetype and count their number. Those with a count of 1 don't match.
index=xyz (sourcetype=assets OR sourcetype=computers)
| stats count by name
| where count = 1
| table name
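Added example, not part of the original answer: a variant of the same stats approach that counts distinct sourcetypes per name, so a host logged several times by one sourcetype is still reported, and that shows which side the host is missing from. The sample events are constructed with makeresults so the search runs on any search head; the field names sourcetypes_seen and only_in and the upper/trim normalization of name are assumptions of this example.

```spl
| makeresults
| eval raw="assets,SERVER01 assets,SERVER01 assets,SERVER02 assets,SERVER03 computers,SERVER02 computers,SERVER03 computers,server05"
| makemv delim=" " raw
| mvexpand raw
| rex field=raw "^(?<sourcetype>[^,]+),(?<name>.+)$"
| eval name=upper(trim(name))
| stats dc(sourcetype) AS sourcetypes_seen values(sourcetype) AS only_in BY name
| where sourcetypes_seen=1
| table name only_in
```

To run it against the indexed data, replace the first five lines with index=xyz (sourcetype=assets OR sourcetype=computers). In the constructed sample SERVER01 appears twice under assets, so a plain event count of 1 would not list it, while the distinct count of sourcetypes does.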